One can detect something automatically or look for it. So, the investigation (incident response and digital forensics) can either start from a security alert or threat-hunting. What are artefacts, and how are they different from evidence? What types of artefacts are there, and how to look them out? Let’s dive deeper into what techniques are used to spot the attacker.
Knowing your artefacts and attacks is very useful, but how do you really USE that knowledge to the full potential? This section will combine information from the attacks and artefacts section to suggest possible approached to the investigation.
Before copying evidence or making a disk image, one needs to sterilise the target media to ensure that data on that disk before this operation would not meddle with the evidence data. Several rounds of writing
0s are usually enough.
During live and dead acquisition, it’s important not to mess up with the evidence. Write blockers protect the evidence from accidental tampering the evidence making sure it will be admissible in court.
There are two types of acquisitions: live 🍀 and dead ☠️. Choosing based on the system’s initial state in question is usually preferable. So, for example, if the system is turned on, perform live acquisition first, capturing all volatile data that will be deleted after reboot. Otherwise, jump right to the dead acquisition (if the system is shut down).
This type of acquisition can only happen on a live system. It’s quicker and easier than imaging the drive, but you will miss some data. It’s sometimes the only way to collect data from a mobile device.
A wide range of artefacts can be used to analyse computer activity. Each artefact may vary significantly and require different tools and approaches. Therefore, this section is dedicated to the artefacts database.
This section is designed in the following way: some aspects of computer systems are being analysed, how they work along with possible attacks, their mitigations, bypass techniques for the mitigations and finally the patterns and tools that could be used to detect those attacks. Most of them will have some link to the corresponding artefacts DB section/article.
Reversing malware is a complex topic and is beyond the scope of this article. If you are interested in reversing techniques - refer to the Reverse 🔧 section of this website. However, to reverse engineer something, one first needs to get that something. And to “catch” the malware, one needs to find it. To find it, one needs to know where to look. This article is to aid in that. I will also look into what evidence can be obtained from the malware.
Attackers will attempt to conceal their presence or even plant bogus artefacts to complicate the investigation and potentially lead to incorrect conclusions.
As if investigations were not already complicated enough, we also have to contend with various timestamp formats. There is a wide range of time formats available, and it is crucial to understand the differences in order to create an accurate timeline.
In this section, I am gathering examples of DFIR (Digital Forensics and Incident Response) cases. I may eventually transfer them to the blog section once I develop narratives to contextualise them.
There are various APTs out there. APT stands for Advanced Persistent Threat and can be likened to an illicit, malicious organisation. Security companies often assign unique names to these organisations based on their suspected location. For example, Crowdstrike prefers to name them according to their origin: Chinese actors as Pandas, North Korean as Chollimas, Russian as Bears, etc. The universally accepted and agreed-upon notation among security researchers is the ID-based system, such as APT1, APT2, APT44, etc. APTs have different “handwriting, " which is why the MITRE ATTACK matrix was born. In this section, I explore some of the APTs and techniques they use in a story format to make it easier to remember. For more actors and details, please, use https://www.mandiant.com/, https://www.crowdstrike.com/, https://mitre-attack.github.io/attack-navigator/v2/enterprise/, https://malpedia.caad.fkie.fraunhofer.de/actors for more thorough and detailed review.